Business

New Year, new broom - the dreaded GDPR

WE’VE landed in 2018 and so far so good. The world hasn’t ended (yet), all that Christmas excess is in the rear view mirror and we are looking forward to putting whatever resolutions we professed, to anyone who would listen, into action.

And at work it’s time to start addressing all those things that you may have filed in your ‘to do’ box, and boy can it be tricky trying to prioritise what’s most urgent for the year ahead.

If it’s any help to your planning, then one thing you most definitely will need to look at (if you haven’t started already) is your preparation for GDPR. The General Data Protection Regulation replaces the current Data Protection Act (1998) and will be enforced from May 25 this year.

What’s the big deal (I’m sure you are asking)? Well, for one, the penalties associated with falling foul of the GDPR are significantly higher than those for breaching the DPA, under which the maximum fine is £500,000. Under GDPR you may be subject to fines of up to €20 million or 4 per cent of your global annual turnover, whichever is greater. It’s the latter part that should make international firms sit up and take notice, as fines will not simply be ring-fenced to the turnover of the UK/European side of the business.

So what do I need to do? Unfortunately there has been a lot of noise made about GDPR but very little concrete guidance regarding how the regulation should be interpreted in real life. Essentially you will need to review all personal data you hold about individuals, whether on paper or electronically, and whether or not those individuals work for your company.

You will need to have solid policies and procedures in place and good justification for what you do with the information. The key watchwords are ‘consent’, ‘transparency’ and ‘accountability’. Keep these in mind, because individuals will have much greater rights over how their data is collected and used.

And this can be a big job for companies. Just think about all the areas in which your HR department alone requests, collects and stores personal data: recruitment, discipline, grievance, benefits, performance, reward, training etc. Then think about all the other departments in your company, from marketing through safety, sales, customer service and beyond. Each department will need to consider the same questions; it’s not just an HR issue.

Don’t despair that this is impossible, however; it’s not. The first thing to do is make someone (or a team) responsible for making the company GDPR ready (and ensure senior management realise how important this is, so they give suitable backing). Then start reviewing what, why, how, where and when you currently source, store and destroy your data. Also make sure you take some professional advice; there are numerous courses, seminars and consultants out there who can help. This will give you a solid platform and allow you to plan ahead. But don’t leave it too late – May is less than half a year away.

Now, finally, some folks may think: "Aha! We will not be in Europe for long Barry. All we need to do is just keep ourselves right for a few years until Brexit is finalised".

Well, if that’s your take on my warning about GDPR then you may be correct; no one knows at this point exactly what will happen when we are no longer subject to EU legislative rulings.

But there is every chance that what replaces the GDPR will simply mirror what is already in place. There is also the fact that there will be no transition period. From May 25 you can be nailed for non-compliance. End of story. And it’s a fairly safe bet that Brexit won’t have happened by then.

:: Barry Shannon (bshannon@cayan.com) is HR director at Cayan in Belfast